The criminals behind the Storm botnet waited until the last minute, but they've finally started delivering unwanted Christmas presents.
Starting on Christmas Eve, Storm-infected machines began sending out Christmas-themed spam in yet another attempt to trick victims into downloading malicious software. In this case, the site is named Merrychristmasdude.com, and the malware is a variation of the Storm Trojan horse program that has been plaguing systems around the world since January.
The emails contain titles such as 'Find Some Christmas Tail', 'Warm Up this Christmas' and 'Mrs Clause Is Out Tonight'.
One message reads 'Yo, I am pretty sure this is up your alley, from the things you have told me before. This will be the best 2 min you spend this holiday. hehe'.
Once the user clicks on the link to Merrychristmasdude.com, he is taken to a Christmas-themed website with photos of scantily clad women and offered a free download. That download is a malicious program, called Email-Worm.Win32.Zhelatin.pd by F-Secure, that connects to a P-to-P (peer-to-peer) network and begins downloading even more malware.
Storm's creators have built up networks of infected PCs - called botnets - over the past year by using a combination of sophisticated hacking tricks to avoid detection and by spamming potential victims with clever and timely email messages. The network is called Storm because its original messages offered victims video of the deadly storms that battered Europe a year ago, but has also perfected the tactic of sending out holiday-themed messages.
Security experts estimate that the Storm has infected more than 15 million computers over the past year, although the current size of the network is much smaller than that.
This latest variant is being blocked by some antivirus vendors, including Kaspersky, Microsoft and Symantec, according to a technical write-up of the Christmas outbreak.
The SANS Internet Storm Center recommends that administrators block web and email access to the Merrychristmasdude.com domain.